Your message dated Thu, 12 Nov 2020 10:50:15 +0000
with message-id <e1kdabd-000bvn...@fasolo.debian.org>
and subject line Bug#971048: fixed in samba 2:4.13.2+dfsg-1
has caused the Debian Bug report #971048,
regarding samba: CVE-2020-1472
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
971048: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971048
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: samba
Version: 2:4.12.5+dfsg-3
Severity: grave
Tags: security upstream fixed-upstream
Justification: user security hole
Forwarded: https://bugzilla.samba.org/show_bug.cgi?id=14497
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2:4.9.5+dfsg-5+deb10u1
Control: found -1 2:4.9.5+dfsg-5
Control: found -1 2:4.5.16+dfsg-1+deb9u2
Control: found -1 2:4.5.16+dfsg-1

Hi,

The following vulnerability was published for samba.

CVE-2020-1472[0]:
| An elevation of privilege vulnerability exists when an attacker
| establishes a vulnerable Netlogon secure channel connection to a
| domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka
| 'Netlogon Elevation of Privilege Vulnerability'.

I realize that setting the RC severity might be disputed, given that by
default, versions since 4.8 are not 'vulnerable' unless admins have
switched to 'server schannel = no' or 'server schannel = auto' from
the default.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-1472
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472
[1] https://bugzilla.samba.org/show_bug.cgi?id=14497
[2] https://www.openwall.com/lists/oss-security/2020/09/17/2
[3] https://www.samba.org/samba/security/CVE-2020-1472.html

Regards,
Salvatore

--- End Message ---
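As an added example (not part of the bug report or the samba package), a small smb.conf check that flags the non-default 'server schannel' settings the report mentions. The parsing rules (a [global] section, key = value lines, '#' or ';' comments, whitespace-insensitive keys) and the "absent means yes on 4.8+" default are assumptions taken from this message, and the two configurations are constructed samples.

```python
import re
from typing import Dict, Tuple

# Values of 'server schannel' that the report describes as leaving the
# Netlogon secure channel exploitable (CVE-2020-1472).
WEAK_SCHANNEL = {"no", "auto"}

# Constructed sample configurations, not taken from any real host.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   ; an admin relaxed the channel to keep old clients joined
   server schannel = auto
"""
FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   server schannel = yes
"""


def parse_global(smb_conf: str) -> Dict[str, str]:
    """Return the [global] parameters, keys lower-cased with whitespace
    removed (assumed to mirror how smbd normalises parameter names)."""
    section = None
    params: Dict[str, str] = {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params


def schannel_status(smb_conf: str) -> Tuple[bool, str]:
    """(vulnerable?, effective value). A missing parameter is treated as
    'yes', the 4.8+ default the report describes as not vulnerable."""
    value = parse_global(smb_conf).get("serverschannel", "yes")
    return value in WEAK_SCHANNEL, value


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        vulnerable, value = schannel_status(conf)
        print(f"{name}: server schannel = {value} -> "
              f"{'VULNERABLE' if vulnerable else 'enforced'}")
```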
--- Begin Message ---
Source: samba
Source-Version: 2:4.13.2+dfsg-1
Done: Mathieu Parent <sath...@debian.org>

We believe that the bug you reported is fixed in the latest version of
samba, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 971...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mathieu Parent <sath...@debian.org> (supplier of updated samba package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Thu, 12 Nov 2020 11:23:01 +0100
Source: samba
Architecture: source
Version: 2:4.13.2+dfsg-1
Distribution: experimental
Urgency: medium
Maintainer: Debian Samba Maintainers <pkg-samba-ma...@lists.alioth.debian.org>
Changed-By: Mathieu Parent <sath...@debian.org>
Closes: 946821 946840 956096 956482 971048 971292 973398 973399 973400 973957
Changes:
 samba (2:4.13.2+dfsg-1) experimental; urgency=medium
 .
   * New upstream major version
     - Update d/gbp.conf, d/watch and d/README.source for 4.13
     - Update patches
     - Bump build-depends ldb >= 2.2.0
     - Install new files
     - Update symbols
   * Includes the following security fixes:
     - CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify
       (Closes: #973400)
     - CVE-2020-14323: Unprivileged user can crash winbind (Closes: #973399)
     - CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with
       easily crafted records (Closes: #973398)
     - CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon")
       (Closes: #971048)
   * Includes the following fixes:
     - Fixes "samba_dnsupdate gives deprecation warnings" (Closes: #973957)
     - s3: libsmbclient.h: add missing time.h include (Closes: #946840)
   * Remove unused python3-crypto dependency (Closes: #971292)
   * Enable Spotlight with ES backend (Closes: #956096, #956482)
   * Standards-Version: 4.5.0
   * Add missing Build-Depends-Package in libsmbclient.symbols and
     libwbclient0.symbols
   * d/copyright: Fix duplicate-globbing-patterns
   * Remove outdated/malformed lintian overrides
   * d/winbind.logrotate: Only reload winbindd when running (Closes: #946821)
   * Bump to debhelper compat 13
   * Add another library-not-linked-against-libc override


--- End Message ---